Personal Identification Information (PII), according to the US District Court (Eastern Dist. of California) applying California’s Song–Beverly Credit Card Act of 1974 (“Credit Card Act”) (Cal. Civ.Code §§ 1747 et seq). In the class action case Capp v. Nordstrom, a customer alleged that Nordstrom requested his email address in connection with a credit card transaction at a Nordstrom retail store for the purpose of sending him an e-receipt. The customer further alleged that Nordstrom then used his email address to send him unsolicited marketing materials in violation of the Credit Card Act. The issue, among others, the court was faced with was whether an email address is PII under the Credit Card Act.
According to the customer, a Nordstrom cashier asked him to provide his email address to receive an electronic receipt. Believing it was required to complete the transaction, the customer provided his email address to the cashier. The cashier then typed the customer’s email address into the portable sales device, at which point in the transaction the customer’s credit card number and email address were recorded in the same portable device. As expected, the customer later received an email with his receipt; however, according to the customer, he also received marketing and promotional materials from Nordstrom “on a nearly daily basis.”
The Credit Card Act
Under the Song-Beverly Credit Card Act, a company that accepts credit cards for business transactions cannot “request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person … or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.” As to the definition of PII, the statute states that PII means “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”
The Credit Card Act imposes civil penalties for violations “not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation.”
The statutory definition of PII makes no mention of email addresses. The district court noted that there is no published case deciding the question of whether an email address constitutes PII under the Credit Card Act. Accordingly, without a controlling California Supreme Court decision on point, the district court was tasked with predicting how the California Supreme Court might decide the issue.
To do so, the district court pointed to a recent California Supreme Court case Pineda v. Williams–Sonoma Stores, Inc. (2011). In Pineda, the California Supreme Court interpreted the words “personal identification information” to include a cardholder’s ZIP code. The California Supreme Court’s analysis focused on the notion that a cardholder’s ZIP code can be used, together with the cardholder’s name, to locate his or her full address; and, importantly, a cardholder’s address and her ZIP code both constitute information unnecessary to the sales transaction that can be used for commercial purposes. As the district court put it:
“In this case, an email address is within the scope of the statute’s broad terms concerning the cardholder as well because a cardholder’s email address pertains to or regards to a cardholder in a more specific and personal way than does a ZIP code. Instead of referring to the general area in which a cardholder lives or works, a cardholder’s email address permits direct contact and implicates the privacy interests of a cardholder. Therefore, this Court predicts that the California Supreme Court would decide that an email address constitutes personal identification information as those terms are defined by section 1747.08(b) of the Credit Card Act.”
Nordstrom also argued that the Credit Card Act claim would be necessarily preempted by the CAN-SPAM Act if email addresses were determined to be PII. The district court rejected this argument and held that the customer’s claims were not subject to CAN-SPAM’s preemption because the Credit Card Act applies only to email addresses and does not regulate the content or transmission of the underlying messages.